You are viewing a Web site, archived on 03:13:03 Oct 15, 2004. It is now a Federal record managed by the National Archives and Records Administration.
JTF-GNO Online NetDefense [DoD-CERT]
Malicious Code Analysis


Introduction
The Task of Malicious Code Analysis
Malicious Code Lab
Code Submittals


Introduction

Malicious code is a broad term that refers to any type of computer software, standalone or embedded, designed to perform some type of unauthorized or undesirable activity.  This includes viruses, worms, trojan horses, and other executable files and scripts that intentionally or unintentionally perform unauthorized activities or act in a malicious manner.  Detailed analysis of this code can provide specific information regarding how malicious code is introduced and propagates on our networks and how we can better protect our systems from it.



The Task of Malicious Code Analysis

Malicious code analysis is a broad-scoped process with the goal of fully understanding how the code affects systems and networks.  This includes not only what the code does, but how it does it.  The methodology has a number of phases.  Surface analysis of the code is the most straightforward activity, involving a cursory examination of the executable file itself to identify its basic characteristics (file format, size, cryptographic hashes) and any recognizable content such as embedded strings.
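The following script is an added example of the surface-analysis phase described above; it is not code from DoD-CERT or from this page. It hashes a suspect file, identifies its container format (PE, ELF, ZIP), reads the PE machine type and section count from the COFF header, extracts printable strings, and sorts those strings into indicator categories (URLs, hostnames, IRC commands). The sample bytes, the `.invalid` hostnames and the indicator patterns are all constructed for the example.

```python
"""Surface analysis of a suspect executable: hashes, format, header fields, strings."""
import hashlib
import re
import struct
import sys
from typing import Dict, List

# Constructed sample: a minimal MZ/PE-shaped byte string with planted strings.
# It is not a real program and contains no executable code.
SAMPLE_BYTES = (
    b"MZ" + b"\x90" * 58 + struct.pack("<I", 0x80)   # e_lfanew at offset 0x3C -> 0x80
    + b"\x00" * (0x80 - 64)                          # pad DOS stub up to 0x80
    + b"PE\x00\x00"                                  # PE signature
    + struct.pack("<H", 0x014C)                      # Machine: i386
    + struct.pack("<H", 3)                           # NumberOfSections
    + b"\x00" * 16                                   # remainder of the COFF header
    + b"http://example.invalid/update.php\x00"       # planted URL (constructed)
    + b"\x01\x02\x03"
    + b"irc.example.invalid\x00"                     # planted hostname (constructed)
    + b"USER\x00NICK\x00JOIN #channel\x00"           # planted IRC verbs (constructed)
)

MACHINE_NAMES = {0x014C: "i386", 0x8664: "x86-64", 0x01C0: "ARM", 0xAA64: "ARM64"}

# Hypothetical indicator categories; a real lab would maintain a larger set.
INDICATOR_PATTERNS = {
    "url": re.compile(r"https?://[^\s\"']+"),
    "hostname": re.compile(r"\b[a-z0-9-]+(?:\.[a-z0-9-]+)+\b", re.I),
    "irc_command": re.compile(r"^(NICK|JOIN|PRIVMSG|USER)\b"),
}


def hashes(data: bytes) -> Dict[str, str]:
    """MD5/SHA-1/SHA-256 of the file, the first thing recorded for any sample."""
    return {
        "md5": hashlib.md5(data).hexdigest(),
        "sha1": hashlib.sha1(data).hexdigest(),
        "sha256": hashlib.sha256(data).hexdigest(),
    }


def detect_format(data: bytes) -> str:
    """Identify the container by magic bytes; for MZ files, follow e_lfanew to the PE signature."""
    if data[:2] == b"MZ":
        if len(data) >= 0x40:
            e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
            if data[e_lfanew:e_lfanew + 4] == b"PE\x00\x00":
                return "PE"
        return "MZ (DOS)"
    if data[:4] == b"\x7fELF":
        return "ELF"
    if data[:2] == b"PK":
        return "ZIP"
    return "unknown"


def pe_summary(data: bytes) -> Dict[str, object]:
    """Read Machine and NumberOfSections from the COFF header that follows 'PE\\0\\0'."""
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    machine, nsections = struct.unpack_from("<HH", data, e_lfanew + 4)
    return {"machine": MACHINE_NAMES.get(machine, hex(machine)), "sections": nsections}


def extract_strings(data: bytes, min_len: int = 4) -> List[str]:
    """Runs of printable ASCII of at least min_len bytes, like the classic 'strings' tool."""
    pattern = re.compile(rb"[\x20-\x7e]{%d,}" % min_len)
    return [m.group().decode("ascii") for m in pattern.finditer(data)]


def classify_strings(strings: List[str]) -> Dict[str, List[str]]:
    """Bucket extracted strings by the indicator pattern they match (a string may match several)."""
    found: Dict[str, List[str]] = {kind: [] for kind in INDICATOR_PATTERNS}
    for s in strings:
        for kind, pat in INDICATOR_PATTERNS.items():
            if pat.search(s):
                found[kind].append(s)
    return found


def surface_report(data: bytes) -> Dict[str, object]:
    """Combine the checks above into one record suitable for a case file."""
    report: Dict[str, object] = {"size": len(data), "format": detect_format(data)}
    report.update(hashes(data))
    if report["format"] == "PE":
        report["pe"] = pe_summary(data)
    report["indicators"] = classify_strings(extract_strings(data))
    return report


if __name__ == "__main__":
    # Analyse a file given on the command line, or the constructed sample if none.
    blob = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else SAMPLE_BYTES
    for key, value in surface_report(blob).items():
        print(f"{key}: {value}")
```

Only the hashes, format, header fields and string indicators are recorded here; nothing in the sample is executed, which is what distinguishes surface analysis from the dynamic phase that follows.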

The next phase involves actually running the code in a controlled, closely monitored, isolated test environment.  This allows the analyst to observe the behavior of the malicious code both on the local host and across the network.  Flexibility of the test environment is critical because different network and system configurations may cause the code to act differently.  If the code tries to connect to an SMTP, DNS, or IRC server, the network needs to provide those resources, in the same format and addressing scheme that the code expects, so that the analyst can observe the full performance of the malicious program.  Detailed system and network monitoring tools are employed to thoroughly audit every action of the code.
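As an added example of the "provide the resources the code expects" point above (not code from this page or from DoD-CERT), the script below implements one such resource for an isolated test network: a stand-in SMTP server that answers with the replies a mailing routine expects, never delivers anything, and records every command the sample sends. The `run_sample_conversation` function and `SAMPLE_COMMANDS` are a constructed stand-in for a sample's mailing routine so the sink can be exercised offline; the hostnames and addresses are constructed.

```python
"""SMTP sink for an isolated malware lab: keep the sample talking, log everything, deliver nothing."""
import socket
import threading
from typing import List


class SmtpSink:
    """Minimal SMTP responder. Each connection's commands are recorded in self.transcripts."""

    def __init__(self, host: str = "127.0.0.1", port: int = 0) -> None:
        self.sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        self.sock.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
        self.sock.bind((host, port))          # port 0 = pick a free port
        self.sock.listen(5)
        self.port = self.sock.getsockname()[1]
        self.transcripts: List[List[str]] = []
        threading.Thread(target=self._serve, daemon=True).start()

    def _serve(self) -> None:
        while True:
            try:
                conn, _ = self.sock.accept()
            except OSError:               # listening socket closed by close()
                return
            threading.Thread(target=self._handle, args=(conn,), daemon=True).start()

    def _handle(self, conn: socket.socket) -> None:
        transcript: List[str] = []
        self.transcripts.append(transcript)   # registered up front so it fills in as lines arrive
        reader = conn.makefile("rb")
        conn.sendall(b"220 sink.lab ESMTP ready\r\n")   # constructed banner
        in_data = False
        for raw in reader:
            line = raw.rstrip(b"\r\n").decode("latin-1")
            transcript.append(line)
            if in_data:                       # message body: swallow until the lone '.'
                if line == ".":
                    in_data = False
                    conn.sendall(b"250 queued (discarded)\r\n")
                continue
            verb = line.split(" ", 1)[0].upper()
            if verb == "DATA":
                in_data = True
                conn.sendall(b"354 end data with <CRLF>.<CRLF>\r\n")
            elif verb == "QUIT":
                conn.sendall(b"221 bye\r\n")
                break
            else:                             # HELO, MAIL, RCPT, anything else: accept
                conn.sendall(b"250 OK\r\n")
        conn.close()

    def close(self) -> None:
        self.sock.close()


# Constructed stand-in for what a mass-mailing sample might send; not a real sample's traffic.
SAMPLE_COMMANDS = [
    "HELO infected-host",
    "MAIL FROM:<spoof@example.invalid>",
    "RCPT TO:<victim@example.invalid>",
    "DATA",
    "Subject: test",
    "",
    "body",
    ".",
    "QUIT",
]


def run_sample_conversation(port: int, commands: List[str]) -> List[str]:
    """Send the commands as a client would and return the server's replies, in order."""
    replies: List[str] = []
    with socket.create_connection(("127.0.0.1", port)) as s:
        reader = s.makefile("rb")
        replies.append(reader.readline().decode().strip())   # banner
        in_data = False
        for cmd in commands:
            s.sendall(cmd.encode() + b"\r\n")
            if in_data:
                if cmd == ".":
                    in_data = False
                    replies.append(reader.readline().decode().strip())
                continue
            replies.append(reader.readline().decode().strip())
            if cmd.upper() == "DATA":
                in_data = True
    return replies


if __name__ == "__main__":
    sink = SmtpSink()
    print(f"sink listening on 127.0.0.1:{sink.port}")
    for reply in run_sample_conversation(sink.port, SAMPLE_COMMANDS):
        print("S:", reply)
    for transcript in sink.transcripts:
        print("recorded:", transcript)
    sink.close()
```

In a lab the sink would be bound on the address the sample resolves for its mail server (with DNS in the test network pointed at it), and the transcripts would be kept alongside the packet captures; the same pattern (answer plausibly, deliver nothing, log all) applies to the DNS and IRC stand-ins the text mentions.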

Finally comes the most difficult stage of malicious code analysis - reverse engineering the code; that is, breaking down the binary code to identify the low-level instructions that are executed.  This type of analysis may reveal actions performed by the code that were undetectable by the monitoring tools used earlier.  While extremely difficult, this is the "holy grail" of malicious code analysis; virtually deriving the source code from a binary.



Malicious Code Lab

The DoD-CERT operates a malicious code lab as part of its large analysis and test network.  The environment is designed to be flexible, scalable, and rapidly reconfigurable.  This allows analysts to quickly reconfigure and restore different systems as malware execution affects the normal configurations.



Code Submittals

The DoD-CERT welcomes the submittal of suspected or confirmed viruses and other types of malicious code from our DoD customers.  This type of information is especially important if you come across a seemingly new virus, or a particularly evasive or destructive piece of code.  The submittal procedure is as follows:

  1. Identify any and all files associated with the malicious code. This could be a single email attachment that was caught by anti-virus software or a set of files that were generated by the code on a completely infected machine.

  2. Add the files to a zipped archive and password protect it with the password "infected". This will ensure that the code does not set off more alarms when submitted via email.

  3. Email the password-protected, zipped file to "virus_submit@cert.mil".
